TikTok Ireland's Submission to the Data Protection Commission on the Fundamentals for a 
Child-Oriented Approach to Data Processing 


1 Introduction 


TikTok Technology Limited ("TikTok Ireland") welcomes and appreciates the opportunity 
to make a submission to the Data Protection Commission (the "DPC") on The 
Fundamentals for a Child-Oriented Approach to Data Processing (the "Fundamentals"). 


TikTok Ireland warmly welcomes the Fundamentals and shares the DPC's commitment to 
providing enhanced privacy protections for our younger users. This commitment is reflected 
in our policies¹, the design of our service (including our default settings)² and the 
information and tools we offer younger users and their caregivers.³ Recital 38 GDPR states 
that children merit specific protection and we appreciate the DPC providing clarification of 
its expectations of organisations that process their personal data. In this submission, 
TikTok Ireland seeks to highlight areas where further guidance or clarification on the 
practical application of the Fundamentals would be helpful. We have also identified where 
the guidance might be slightly adapted to ensure it fully accounts for the complexities of 
assessing and determining the best interests of the child. 


2 Comments 
2.1 The landscape of children's rights 
The best interests of the child 


The Fundamentals underscore that children are entitled to enhanced privacy protections 
and note that the "best interests of the child" are paramount, citing foundational rights 
established in the UN Convention on the Rights of the Child ("UNCRC"). Four of the 
Fundamentals include an express requirement to consider the best interests of the child 
and "The core message of these Fundamentals is that the best interests of the child must 
always be the primary consideration in all decisions relating to the processing of their 
personal data." 


TikTok Ireland fully agrees the best interests of the child are paramount and we would 
welcome further guidance in the Fundamentals on how to apply this in practice. In 
particular, given that Article 3(1) UNCRC states "the best interests of the child shall be a 
primary consideration" which needs to be considered in the context of all of the UNCRC 
conferred rights, we would be grateful for further guidance on: (i) how, in practice, 
organisations might conduct the balancing exercise needed to assess and determine 
whether a particular processing activity is in the best interests of the child (given the 
potential for a single processing activity to promote some UNCRC rights whilst potentially 
interfering with others in circumstances where no particular right takes precedence⁷); and 
(ii) how they might demonstrate the same. 


1 For example, we want to ensure younger users understand what information we collect and how we handle it, so we have 
created an in-app summary of our Privacy Policy aimed specifically at under 18s. 

2 For example, in January 2021, TikTok announced changes for users under 18 aimed at driving higher default standards 
for user privacy and safety. In particular, we changed the default account type of all TikTok users who are under the age of 
16 - whether new or existing users - to private (please see Strengthening privacy and safety for youth on TikTok for further 
details). These changes built upon existing design-based protections for younger users: under 16s cannot host a Live 
Stream or use our direct messaging function and under 18s cannot send or receive virtual gifts. 

3 In addition to the privacy and safety resources in our Safety and Help Centres, TikTok has a dedicated Youth Portal and 
For Parents page where teens and caregivers can learn more about the privacy and safety tools and controls built into 
TikTok. We also have a series of videos presenting these tools and controls in an accessible and easy to understand 
fashion (an approach that is consistent with feedback we received directly from teens and their caregivers on how they 
would like to see information presented). Additionally, our Family Pairing tool allows teens and caregivers to customise their 
privacy and safety settings based on individual needs. 

4 "zero interference", "let children have their say 

5 Fundamentals, p.3. 


Legal bases for processing children's personal data 


We welcome the confirmation in the Fundamentals that consent is not the only legal basis 
for processing children's personal data and that organisations are free to choose any of the 
six legal bases in Article 6 GDPR (subject to the circumstances of the processing properly 
falling within the scope of the relevant legal basis).⁸ 


In the context of the legal basis provided for by Article 6(1)(f) GDPR, the Zero Interference 
Fundamental says: "organisations processing children's data in reliance on this legal basis 
should ensure that legitimate interests pursued do not interfere with, conflict with or 
negatively impact, at any level, the best interests of the child. In circumstances where there 
is any level of interference with the best interests of the child, this legal basis will not be 
available for the processing of children's personal data."⁹ TikTok Ireland agrees that a 
child-specific and centric approach must be inherent in any legitimate interest assessment 
involving the processing of children's data and that the rights of a child merit particular 
protection. However, we respectfully consider that the Zero Interference Fundamental may 
act as a barrier to processing that is in the child's best interests but is nevertheless not 
capable of satisfying the Zero Interference requirement for there to be no level of 
interference - as a requirement for processing to cause no interference at all appears to be 
a particularly high bar. 


If there is a significant restriction on the ability for organisations to rely upon Article 6(1)(f) 
GDPR to process children's personal data, the unintended consequence of the Zero 
Interference Fundamental may be that no legal basis is available and that certain 
processing activities must cease. This is because the Fundamentals recommend 
organisations carefully consider reliance on Article 6(1)(b) GDPR¹⁰ and that, in the absence 
of parental authorisation, Article 6(1)(a) GDPR is not available to users in Ireland under the 
age of 16. We would be grateful for further guidance on how to reconcile this potential lack 
of legal basis with the need to not shut out younger users or downgrade their experience. 


6 In its General comment No. 14 (2013) on the right of the child to have his or her best interests taken as a primary 
consideration, the Committee on the Rights of the Children explains the importance of considering all UNCRC rights when 
assessing what is in the best interests of the child: "The concept of the child's best interests is complex and its content must 
be determined on a case-by-case basis. It is through the interpretation and implementation of article 3, paragraph 1, in line 
with the other provisions of the Convention, that the legislator, judge, administrative, social or educational authority will be 
able to clarify the concept and make concrete use thereof. Accordingly, the concept of the child's best interests is flexible 
and adaptable. It should be adjusted and defined on an individual basis, according to the specific situation of the child or 
children concerned, taking into consideration their personal context, situation and needs. For individual decisions, the child's 
best interests must be assessed and determined in light of the specific circumstances of the particular child. For collective 
decisions - such as by the legislator -, the best interests of children in general must be assessed and determined in light 
of the circumstances of the particular group and/or children in general. In both cases, assessment and determination should 
be carried out with full respect for the rights contained in the Convention and its Optional Protocols." 

7 In General comment No. 14 (2013), the Committee on the Rights of the Children explains: "The concept of the child's best 
interests is aimed at ensuring both the full and effective enjoyment of all the rights recognized in the Convention and the 
holistic development of the child... there is no hierarchy of rights in the Convention; all the rights provided for therein are in 
the "child's best interests" and no right could be compromised by a negative interpretation of the child's best interests." 

8 Fundamentals, p.21-22. 

9 Fundamentals, p.24. 

10 "Given the complexities, nuances and antiquated nature of elements of this area of Irish contract law" Fundamentals, 
p.22. 


When determining the applicability of Article 6(1)(f) GDPR, perhaps the Zero Interference 
Fundamental could affirm the balancing exercise must be stricter/more onerous but without 
adopting the position that any level of interference renders the legal basis unavailable. It 
would also be helpful for the Fundamentals to acknowledge the potential for the balancing 
exercise to take account of the implementation of proportionate measures and safeguards 
to satisfactorily mitigate any risks and protect the child's best interests. Such an approach 
would accord with the general EU law proportionality principle (i.e. that actions should not 
exceed what is necessary to achieve the objectives) and with GDPR which, as explained 
in Recital 4, acknowledges that: "The right to the protection of personal data is not an 
absolute right; it must be considered in relation to its function in society and be balanced 
against other fundamental rights, in accordance with the principle of proportionality. This 
Regulation respects all fundamental rights and observes the freedoms and principles 
recognised in the Charter as enshrined in the Treaties, in particular the respect for private 
and family life, home and communications, the protection of personal data, freedom of 
thought, conscience and religion, freedom of expression and information, freedom to 
conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious 
and linguistic diversity". 


In summary, TikTok Ireland fully agrees that the best interests of the child are paramount 
and we ask that the DPC consider: 


• Providing guidance on how to assess and determine whether a particular processing 
activity is in the best interests of the child and on how to demonstrate the same; and 


• Reflecting, within the Zero Interference Fundamental, that processing which is in the 
best interests of the child and in respect of which any necessary measures and 
safeguards have been implemented to satisfactorily mitigate any risk, may still be 
grounded on Article 6(1)(f) GDPR without the need to demonstrate that the processing 
does not involve any level of interference. 


Transparency and children 


We welcome the clarity the Fundamentals provide with respect to the DPC's expectations 
regarding the level and methods of transparency to be provided by organisations that 
process children's personal data.¹¹ The acknowledgement that children have additional 
needs and evolving capabilities and developmental capacities is also welcome. 


The requirement that "an organisation should provide explanations to children as to why 
certain settings are automatically switched to off or denied to them by default"¹² supports a 
fully transparent approach to product design. We would be grateful for further guidance on 
how an organisation might comply with this requirement in a manner which does not also 
encourage younger users to seek to circumvent such measures in order to attempt to gain 
access to any restricted/denied features (as it is anticipated that organisations could run 
into difficulty when attempting to balance these two conflicting positions).¹³ 


11 Fundamentals, p.26-30. 

12 Fundamentals, p.30. 


TikTok Ireland is supportive of providing transparency information "throughout the user 
experience"¹⁴ and of using "just-in-time notifications to inform children and young people 
about any possible risks or consequences involved in sharing their personal data at a 
particular moment in time." We note that it's important to strike a balance (as reflected in 
Recital 32 GDPR) between providing just-in-time notices in a manner that supports timely 
transparency without desensitising younger users to their effectiveness (as a result of 
"pop-up fatigue"). 


In summary, we ask that the Fundamentals provide greater clarity as to: 


• How to strike a balance between providing transparency to younger users regarding 
features that (due to their age) are unavailable or off by default without prompting them 
to seek to circumvent such measures. 


Exercising children's data protection rights 


The Fundamentals are clear that children are data subjects with the same data protection 
rights afforded to adults under GDPR. This accords with TikTok Ireland's own belief that its 
younger users should be able to exercise their own data subject rights (once all relevant 
legislation permits). 


With regard to situations where a parent or guardian does seek to exercise data subject 
rights on behalf of a child, we would welcome further advice as to the level of verification 
that would be deemed appropriate to identify legitimate parents or guardians of younger 
users for the purpose of data subject requests. 


We would also welcome the inclusion in the Fundamentals of guidance on how 
organisations might handle requests from a parent/guardian seeking to exercise a younger 
user's data subject right(s) in circumstances where the younger user: (i) has not 
communicated with the organisation on the matter; or (ii) has explicitly expressed their 
desire for the parent/guardian's request to be rejected. It would be beneficial to understand 
how an organisation should determine which party should be given preference in these 
instances. Were the Fundamentals adapted to provide additional guidance and clarity on 
these points, it would assist organisations in assessing and determining how to act in the 
best interest of the child. 


In summary, we ask that the Fundamentals provide further guidance on: 


• Authentication methods for verifying parents/guardians who are making request(s) on 
behalf of a younger user; 


• Processing a data subject request submitted by a parent where the younger user (the 
data subject) has not expressly consented or has expressly asked the controller to 
reject such a request; and 


• Assessing the best interests of a child in light of UNCRC Article 3(1) and data subject 
rights, per Articles 15-22 GDPR. 


13 Fundamentals, p.42. 

14 Fundamentals, p.30. 


Age of digital consent and age verification 


Age verification 


We appreciate the Fundamentals' recognition that this is an area which continues to 
develop and that age assurance and verification remain challenging topics for many 
platforms. TikTok Ireland is committed to exploring innovative solutions in these areas 
despite these challenges. 


The Fundamentals suggest that even where Article 8 GDPR is not engaged, an 
organisation may need to verify the age of its users either: 


(i) to determine whether a user is old enough to access its service (since the guidance 
supporting the Minimum User Ages Aren't an Excuse Fundamental provides that: "Where 
a service provider stipulates that their service is not for the use of children below a certain 
age, they should take steps to ensure that their age verification mechanisms are effective 
at preventing children below that age from accessing their service");¹⁵ and/or 


(ii) "to provide a "child-friendly" version of a service which attracts a mixed user audience 
i.e. by offering enhanced data protection settings/features for child users, in line with the 
requirements of these Fundamentals"¹⁶ (i.e. where, in line with the Floor of Protection 
Fundamental, an organisation chooses to apply the protections set out in the Fundamentals 
only to children rather than to all data subjects). 


We understand organisations are required to take a risk-based approach to verifying the 
age of a user in both of these scenarios and it would be helpful for the Fundamentals to 
provide further guidance on the factors that would go in favour of a more or less stringent 
age verification method and on how a risk-based approach would, in practice, influence the 
choice of age verification method(s).¹⁷ 


We would also be grateful for clarification on whether the DPC considers on-platform age 
verification solutions to be appropriate as part of a holistic strategy. This is because the 
word "preventing" in the Minimum User Ages Aren't An Excuse Fundamental could be read 
to imply that organisations will be expected to deploy age verification methods exclusively 
at the account registration stage to effectively stop all underage users accessing their 
service. Requiring services to implement the most stringent age verification measures at 
this stage would likely necessitate the collection of official identifiers and it is unclear how 
this could be reconciled with the requirements of data minimisation,¹⁸ proportionality, or 
with the need to not shut out younger users and those from lower socioeconomic groups.¹⁹ 


The Fundamentals also note the potential for the use of artificial intelligence; if the DPC 
envisages the deployment of age estimation models at the account registration stage, we 
would be grateful for further guidance on how to approach this where limited/no behavioural 
signals are available and on how to reconcile the use of these models with the statements 
made in the Fundamentals about the use of profiling. 


15 Fundamentals, p.43. 

16 Fundamentals, p.41. 

17 The non-exhaustive list of criteria in Section 5.3 of the Fundamentals is helpful but we are unclear whether the examples 
listed after each heading are intended to be considered as indicative of a particular level of risk or of how this then relates 
to the level of stringency required by the chosen age verification method. 

18 In respect of which we note the DPC's recent Groupon decision Groupon International Limited - December 2020. 

19 Since many younger users will not have national IDs or passports. 


In light of these challenges, we would welcome confirmation in the Fundamentals that age 
verification for the purposes described in (i) and (ii) above need not be completed at the 
account registration stage but can form part of a wider age assurance strategy which starts 
during registration and continues thereafter (in the interests of balancing risk, 
proportionality and the need to avoid creating potentially unfair barriers to access). 


The Fundamentals also note that an alternative to age verification in these scenarios is for 
an organisation to provide a Floor of Protection to all users regardless of age. Further 
guidance as to how to determine and demonstrate whether an organisation has 
implemented a floor of protection would be welcome. 


In summary, we ask that the DPC provides further guidance on age verification, on: 


• The factors to determine the relationship between the level of risk raised by 
processing activities and the appropriate level of stringency required by the chosen 
age verification method(s); 


• Whether age verification for the purposes of the Floor of Protection and Minimum User 
Ages Aren't An Excuse Fundamentals has to be completed at the account registration 
stage or whether it can form part of a wider age assurance strategy which starts during 
registration and continues on platform; and 


• Factors/elements that an organisation will need to satisfy in order to be considered as 
having, and be able to demonstrate, a floor of protection. 


Age of digital consent 


The Fundamentals also appear to adopt a risk-based approach to parental consent.²⁰ 
Similar to the above, further guidance would be appreciated here (in terms of examples of 
low, medium and high risk processing activities and how these might relate to acceptable 
methods of verification). 


In terms of possible methods, we note that the Fundamentals list the Federal Trade 
Commission's ("FTC") methods for complying with similar obligations²¹. It would be helpful 
for the Fundamentals to explain whether these constitute acceptable methods and, if so, 
when. 


In summary, we ask that the Fundamentals provide greater clarity regarding verification in 
the context of the age of digital consent, mainly: 


• Further guidance and examples as to how organisations should adopt a risk-based 
approach to verification of parental consent; and 


• Confirmation of whether (and if so when) the FTC's methods for parental verification 
may be appropriate. 


20 Fundamentals, p.40; "As with age verification for the purposes of establishing whether a user is a child (see Section 5.3), 
the DPC considers that a proportionate and risk-based approach should be adopted. This entails a requirement for greater 
stringency/levels of certainty provided by the particular verification process where the processing of personal data 
undertaken by the organisation poses higher risks to the user based on the criteria identified in Section 5.7 below." 

21 Fundamentals, p.40-41. 


Direct marketing, profiling, and advertising 


As outlined above, TikTok Ireland fully supports the need for the best interests of the child 
to be paramount. The Fundamentals contain certain statements regarding the use of 
profiling which we respectfully suggest may have the unintended consequence of impacting 
younger users negatively and in a way that is contrary to their best interests. 


A presumption against profiling (including for purposes other than ads and marketing) risks 
simplifying the complexities of the balancing exercise that is required to assess and 
determine what is in the child's best interests. 


It also potentially overlooks the ways profiling may be used to promote, respect and protect 
a child's UNCRC rights and may be difficult to reconcile with the requirements of other 
Fundamentals. For example, profiling may be used to estimate an individual's age to 
ensure they are old enough to use a service or to provide them with an age-appropriate 
experience. For many organisations, profiling will form a key component of the core 
feature(s) of their service and will help promote the rights of the child (for example, their 
rights to freedom of expression, association, leisure, play and culture). 


In light of the above, we would respectfully request that the Prohibition On Profiling 
Fundamental and the supporting guidance be adapted to further reflect the complexities of 
the child's best interests and to provide guidance on how a strong presumption that profiling 
is not in the best interests of the child can be reconciled with the requirements of other 
Fundamentals (including the requirement to not deprive younger users of a rich service 
experience or of access to central features).²² 


In summary, we ask that the approach the Fundamentals adopt with regard to profiling be 
adapted: 


• To further reflect the complex balancing exercise that is required to assess and 
determine what is in the best interests of the child and to contain more fulsome 
acknowledgement of the ways profiling may be used to promote, respect and protect 
a child's UNCRC rights. 


Tools to ensure a high level of data protection for children 


Data Protection Impact Assessments 


We fully agree with the need for a Data Protection Impact Assessment ("DPIA") to 
incorporate due consideration of specific issues with regard to the processing of children's 
data and would welcome additional guidance in this area. 


In particular, it would be helpful for the Fundamentals to provide additional clarity on how 
organisations might best utilise the best interests of the child as "one of the primary risk 
evaluation tools when carrying out a DPIA"²³ and how, from a documentation and 
accountability perspective, they might "show how the best interests principle has driven the 
design, development, implementation and/or operation of any service which is directed 
at/intended for, or is likely to be accessed by, children and how measures implemented are 
effective in achieving this."²⁴ Further details of how, in practice, a DPIA might be structured 
to demonstrate how an organisation has "consider[ed] cumulative risk as part of its risk 
assessment process"²⁵ would also be greatly appreciated. 


22 Fundamentals, p.7. 

23 Fundamentals, p.58. 


Recommended measures for incorporating data protection by design and by default to 
promote the best interests of child users 


We welcome the examples of the measures organisations may incorporate to comply with 
the data protection by design and by default principles though respectfully highlight that 
these may not always be appropriate. In particular: 


Default privacy settings: Where a teenager makes a choice to change a default 
privacy setting, a requirement to "automatically switch back to the default setting" 
at the end of the session would appear to conflict with other aspects of the 
Fundamentals. For example, it would remove user choice²⁶ (i.e. younger users 
should be allowed to switch off default settings and have these choices respected 
- particularly as they get older, given the Article 5 UNCRC requirement to take 
account of a child's evolving capacities). Provided younger users are given prior, 
adequate transparency information about the consequences of switching off or 
changing a privacy setting, we respectfully consider that it would be in the best 
interests of the child for that choice to be respected. 


Parental involvement: A number of the measures relate to parental controls or 
oversight. Whilst in most cases the Fundamentals acknowledge that this may not 
always be appropriate, some of the language suggests parental involvement will 
always be required regardless of the developmental capacity or age of the child 
(see, for example, the provisions on sharing and visibility²⁷ and audience controls²⁸). 
It would be helpful for the Fundamentals to clarify that these measures will not 
always be appropriate and to reiterate that the best interests of the child involves 
balancing the responsibilities, rights and duties of parents/caregivers to provide 
guidance in the exercise of a child's rights against the rights and capabilities of 
children exercising their own rights on their own behalf.²⁹ 


In summary, we ask that the recommended measures be adapted, mainly: 


• To recognise that where a younger user chooses to change their default privacy 
settings, that choice be respected taking into account their evolving capacities and 
development stage; and 


• To reflect the fact that parental/caregiver control or involvement is not always in the 
best interests of the child. 


24 Fundamentals, p.59. 

25 Fundamentals, p.62. 

26 Discussed in Section 7.3 of the Fundamentals. 

27 "Do not systematically share a child's personal data with third parties without clear parental knowledge, awareness and 
control; build in parental reminders/notifications in relation to subsequent sharing activity. Do not make children's identity 
or contact information available to others without parental knowledge, awareness and the opportunity for intervention." 
Fundamentals, p.60. 

28 "Contact from others outside of the child's authorised contacts should be not possible for younger children without 
parental knowledge, awareness and intervention." Fundamentals, p.61. 

29 The Fundamentals recognise this at p.35, "the closer the child is to the age of 18, the more likely it is that an organisation 
holding the child's personal data should deal directly with the child themself, rather than involving the parent/guardian." 


Conclusion and timeline for compliance 


In conclusion, TikTok Ireland welcomes and supports the Fundamentals and the clarity they 
provide. The privacy of our younger users is a key priority for us and guidance from our lead 
supervisory authority as to its expectations in this area is greatly appreciated. 


We note that the DPC previously afforded a 6 month grace period following the publication of 
updated cookies guidance and the Information Commissioner's Office provided a 12 month 
grace period following the adoption of its Age Appropriate Design Code. 


Given that the Fundamentals constitute a thorough, detailed and substantial piece of new 
guidance, we respectfully recommend that organisations be afforded an appropriate grace 
period - such as that adopted by the Information Commissioner's Office - between the 
publication of the final version of the Fundamentals and the commencement of enforcement 
to ensure an opportunity for organisations to meaningfully engage, adopt and implement the 
Fundamentals and to embed them into future product design processes. 


TikTok Technology Limited 


